
Hijack Execution Flow: Path Interception by Unquoted Path T1574.009

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch.

Events covered

1 catalog event is tagged with this technique by at least one rule.

| Provider | Event ID | Title |
| --- | --- | --- |
| Security-Auditing | 4688 | A new process has been created. |

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Kusto Query Language 1 rule